Woodpecker
CVE-2024-41121
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Woodpecker is a simple yet powerful CI/CD engine with great extensibility. The server allow to create any user who can trigger a pipeline run malicious workflows: 1. Those workflows can either lead to a host takeover that runs the agent executing the workflow. 2. Or allow to extract the secrets who would be normally provided to the plugins who's entrypoint are overwritten. This issue has been addressed in release version 2.7.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AnalysisAI
Woodpecker is a simple yet powerful CI/CD engine with great extensibility. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-74. Woodpecker is a simple yet powerful CI/CD engine with great extensibility. The server allow to create any user who can trigger a pipeline run malicious workflows: 1. Those workflows can either lead to a host takeover that runs the agent executing the workflow. 2. Or allow to extract the secrets who would be normally provided to the plugins who's entrypoint are overwritten. This issue has been addressed in release version 2.7.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Woodpecker-Ci Woodpecker. Version information: version 2.7.0..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Woodpecker
View allApproval-gate bypass in Woodpecker CI before 3.15.0 lets an attacker who can open a merge request from a fork against a
Woodpecker is a simple yet powerful CI/CD engine with great extensibility. Rated high severity (CVSS 8.8), this vulnerab
Woodpecker is a community fork of the Drone CI system. Rated high severity (CVSS 8.1), this vulnerability is remotely ex
Unauthenticated NULL pointer dereference in Woodpecker CI before 3.15.0 allows any network attacker to flood server logs
Woodpecker before 0.15.1 allows XSS via build logs because web/src/components/repo/build/BuildLog.vue lacks escaping. Ra
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today